Configure advanced AppViz properties
This topic describes the advanced configuration available for AppViz in the user.properties file on the AppViz server.
Access and edit the user.properties file
The user.properties AppViz configuration file is located on the AppViz server at /home/bflow/config/user.properties.
Do the following:
- Open a terminal and log in to the AppViz server as user root.
- Browse to and open /home/bflow/config/user.properties for editing.
- Add or edit configuration parameters as needed. If a parameter is missing, add the parameter name and value on a new line. For details, see Advanced AppViz property reference.
- When you're finished, save the file and restart AppViz. For more details, see Restart AppViz.
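The following Python script is an added example, not AlgoSec's own tooling: it performs the edit step above non-interactively, rewriting an existing key=value line in place or appending the line when the parameter is missing, and writes the result back atomically after taking a backup. The file path is the one named above; the sample file contents inside the block are constructed for the demonstration, and restarting AppViz afterwards is left to the operator.

```python
"""Set a parameter in AppViz's user.properties without hand-editing.

Added example, not AlgoSec's own tooling. Implements the step above: an
existing `key=value` line is rewritten in place, a missing key is appended on
a new line. Restarting AppViz afterwards is still a manual step.
"""
import os
import shutil
from datetime import datetime

# Path from the page; the file itself is not bundled with this example.
PROPERTIES_PATH = "/home/bflow/config/user.properties"


def set_property(text: str, key: str, value: str) -> str:
    """Return `text` with exactly one active `key=value` assignment.

    Lines that start with '#' are comments and are left untouched, so a
    commented-out sample such as '# import.delimiter=,' is not mistaken for
    a live setting. Duplicate active assignments are collapsed to one, which
    removes the ambiguity of "last one wins" when the file is loaded.
    """
    out, done = [], False
    for line in text.splitlines():
        stripped = line.strip()
        is_assignment = (
            not stripped.startswith("#")
            and "=" in stripped
            and stripped.split("=", 1)[0].strip() == key
        )
        if is_assignment:
            if not done:
                out.append(f"{key}={value}")
                done = True
            continue  # drop further duplicates of the same key
        out.append(line)
    if not done:
        out.append(f"{key}={value}")  # parameter was missing: add it on a new line
    return "\n".join(out) + "\n"


def update_properties_file(key: str, value: str, path: str = PROPERTIES_PATH) -> str:
    """Rewrite `path` with `key=value` set; returns the backup file name.

    The new content goes to a temporary file that is then renamed over the
    original, so a crash mid-write never leaves a truncated config behind.
    """
    with open(path, encoding="utf-8") as fh:
        text = fh.read()
    backup = f"{path}.{datetime.now():%Y%m%d%H%M%S}.bak"
    shutil.copy2(path, backup)
    tmp = path + ".tmp"
    with open(tmp, "w", encoding="utf-8") as fh:
        fh.write(set_property(text, key, value))
    shutil.copymode(path, tmp)  # keep the original permission bits
    os.replace(tmp, path)
    return backup


if __name__ == "__main__":
    # Constructed sample content standing in for a real user.properties.
    sample = (
        "application.recent.page_size=10\n"
        "# import.delimiter=,\n"
        "upload.max_size=100\n"
    )
    print(set_property(sample, "application.recent.page_size", "15"), end="")
    print(set_property(sample, "import.delimiter", ":"), end="")
```

On the server, run it as root and call update_properties_file("upload.max_size", "200") (or any parameter from the reference below), then restart AppViz as described in Restart AppViz; the backup name it returns is the file to restore if the new value misbehaves.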
Advanced AppViz property reference
This section describes the advanced AppViz properties available for editing in the user.properties file.
advanced-search.results.page_size
Integer. The number of advanced search results initially displayed on an advanced search results page.
For example, the following sets the number of advanced search results initially displayed to 15:
advanced-search.results.page_size=15
application.recent.page_size
Integer. Defines the number of recent applications displayed in the applications menu.
application.recent.page_size=15
Default value: 10
application.search.page_size
Integer. Defines the number of application search results shown by default.
application.search.page_size=100
Default value: 100
Boolean. Determines whether AppChange change request handling is disabled, including all change request creation and all change request-related tabs.
Supported values:
- True. Change requests are disabled from AppChange
- False. Change requests are enabled in AppChange
changerequest.status.resolved
Comma-separated list. Defines the FireFlow change request statuses that trigger AppViz status changes.
By default, pending statuses for objects and applications in AppViz transition to their next status once FireFlow change requests reach the reconcile, pending match, or resolved statuses.
For example, the following sets the AppViz status to change when the FireFlow change request reaches the pending match, matched or resolved status:
changerequest.status.resolved=pending match,matched,resolved
connectivity.enable
Determines whether application status is constantly refreshed.
- True. (Default) Enables constant application refreshes.
- False. Disables constant application refreshes.
Tip: Use together with risk.enable to enable automatic data refreshes.
discovery.max_flows_per_application
Integer. Determines the maximum number of flows combined per application during a discovery process.
Default: 50
For example, the following sets the default value to 60 flows:
discovery.max_flows_per_application=60
Tip: The larger the number of maximum flows per application, the more specific each flow will be. The smaller the maximum number of flows per application, the more AppViz will optimize and combine flows.
String. Defines the minimum percentage of the IP addresses that must be found in a specific CIDR for the CIDR to be suggested as a source/destination value.
This is relevant for the optimization process performed during discovery from traffic logs.
Default value: 0.3. By default, the IP addresses in the traffic logs must cover at least 30% of the CIDR for it to be suggested as a source/destination value.
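The following Python block is an added illustration of the threshold just described, not AppViz code. It models the rule as "distinct addresses seen in the traffic logs that fall inside a candidate CIDR, divided by the CIDR's total address count, must reach the configured fraction"; that reading of the page is an assumption, and the sample addresses are constructed.

```python
"""Worked illustration of the CIDR suggestion threshold described above.

Added example, not AppViz code: it models the rule as "distinct IPs seen in
the traffic logs that fall inside the CIDR, divided by the CIDR's total
address count, must reach the configured fraction". That reading of the
page is an assumption; the sample addresses are constructed.
"""
import ipaddress

DEFAULT_MIN_FRACTION = 0.3  # the page's default: at least 30% of the CIDR


def cidr_coverage(observed_ips, cidr):
    """Fraction of `cidr` covered by the distinct addresses in `observed_ips`.

    strict=True rejects a candidate with host bits set (e.g. 10.1.2.5/24).
    Network and broadcast addresses count towards the CIDR's size.
    """
    net = ipaddress.ip_network(cidr, strict=True)
    seen = {ipaddress.ip_address(ip) for ip in observed_ips}
    inside = sum(1 for ip in seen if ip in net)
    return inside / net.num_addresses


def suggest_cidr(observed_ips, cidr, min_fraction=DEFAULT_MIN_FRACTION):
    """True when the CIDR clears the threshold and may be offered as source/destination."""
    return cidr_coverage(observed_ips, cidr) >= min_fraction


def suggested_cidrs(observed_ips, candidates, min_fraction=DEFAULT_MIN_FRACTION):
    """Filter a list of candidate CIDRs down to those that clear the threshold."""
    return [c for c in candidates if suggest_cidr(observed_ips, c, min_fraction)]


if __name__ == "__main__":
    # Constructed: 80 distinct hosts, all in the lower half of 10.1.2.0/24.
    logged = [f"10.1.2.{host}" for host in range(80)]
    for cand in ["10.1.0.0/16", "10.1.2.0/24", "10.1.2.0/25"]:
        print(cand, f"{cidr_coverage(logged, cand):.4f}", suggest_cidr(logged, cand))
    # 10.1.0.0/16 -> 0.0012 False; 10.1.2.0/24 -> 0.3125 True; 10.1.2.0/25 -> 0.6250 True
```

Lowering the fraction lets AppViz propose coarser CIDRs from sparser evidence, which widens the source/destination that ends up in the discovered flow; running candidate values through suggest_cidr against a sample of real log addresses shows what a given setting would admit before it is applied.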
Default: 10
endpoint.search.page_size=100
Default: 100
Boolean. Determines whether AppChange opens change requests in FireFlow for specific device objects by adding the device name to the object in the source/destination value.
Supported values:
- True. AppChange appends the device name to the object in the source/destination.
- False. AppChange does not append the device name to the object.
Note: This feature must be used together with the Set($StoreFirewallSuffixInHostGroup, '1') FireFlow command.
Boolean. Determines whether AppChange passes the names or content of the network objects when opening change requests in FireFlow.
Supported values:
- True. AppChange passes the content of the network objects.
- False. (Default) AppChange passes the network object name.
fireflow.ranges.compact
Determines whether AppViz compacts the IP addresses before opening a change request, in order to minimize the number of actions the change request needs to execute.
For example:
fireflow.ranges.compact=true
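To make "compacting" concrete, the following Python block is an added example (not AppViz or FireFlow code) that collapses a list of individual addresses two ways: into contiguous first-last runs, and into the minimal set of CIDR blocks covering exactly the same hosts. Which of these forms FireFlow receives is not stated on the page; the sample addresses are constructed and the code assumes IPv4.

```python
"""Illustration of what "compacting" IP addresses before a change request means.

Added example, not AppViz or FireFlow code. It shows two ways a list of
individual addresses can be collapsed so the change request carries fewer
entries: contiguous first-last ranges, and the minimal set of CIDR blocks
that covers exactly the same hosts. Which form FireFlow receives is not
stated on the page; the sample addresses are constructed. IPv4 only.
"""
import ipaddress


def _distinct(ips):
    """Parse and de-duplicate, so '10.0.0.2' listed twice is one host."""
    return {ipaddress.ip_address(ip) for ip in ips}


def contiguous_ranges(ips):
    """Merge sorted, de-duplicated addresses into (first, last) runs."""
    runs = []
    for addr in sorted(_distinct(ips)):
        if runs and addr == runs[-1][1] + 1:
            runs[-1][1] = addr          # extends the current run
        else:
            runs.append([addr, addr])   # starts a new run
    return [(str(first), str(last)) for first, last in runs]


def compact_cidrs(ips):
    """Smallest list of CIDR blocks covering exactly the given hosts."""
    hosts = [ipaddress.ip_network(str(addr)) for addr in _distinct(ips)]  # /32 each
    return [str(net) for net in ipaddress.collapse_addresses(hosts)]


def entries_saved(ips):
    """How many change-request entries range compaction removes versus one per host."""
    return len(_distinct(ips)) - len(contiguous_ranges(ips))


if __name__ == "__main__":
    # Constructed: five consecutive hosts (one repeated) plus one stray address.
    hosts = ["10.0.0.5", "10.0.0.1", "10.0.0.2", "10.0.0.3",
             "10.0.0.4", "10.0.0.2", "192.168.1.10"]
    print(contiguous_ranges(hosts))   # two runs instead of six entries
    print(compact_cidrs(hosts))       # four CIDR blocks
    print(entries_saved(hosts))       # 4
```

The run form is the more compact of the two here; CIDR aggregation needs aligned block boundaries, so 10.0.0.1 through 10.0.0.5 still becomes three blocks. Either way the resulting change request touches the same hosts as the uncompacted list, which is worth verifying on the FireFlow side when enabling the setting.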
Boolean. Determines whether AppChange passes the names or content of the service objects when opening change requests in FireFlow.
Supported values:
- True. AppChange passes the content of the service objects.
- False. (Default) AppChange passes the service object name.
flow.connectivity.display_unprotected
Boolean. Determines whether AppViz differentiates between traffic that is explicitly allowed by a rule and traffic that is allowed because it is unprotected or unfiltered.
Supported values:
- True. AppViz differentiates between explicitly allowed traffic and unprotected/unfiltered traffic.
- False. (Default) AppViz does not differentiate between allowed traffic types.
For example, you may want to enable this feature when using micro-management within subnets.
flow.connectivity.display_unprotected=true
When configured, AppViz indicates this in the FLOWS tab as follows:
- All allowed flows appear with a green connectivity indicator.
- All unprotected flows appear with a striped indicator.
Additionally, this information is available in:
Location | Description
---|---
Flow exports / API responses | When AppViz provides connectivity information about flows, the values specify whether the flow is "allowed" (protected) or "unprotected". Note: By default, AppViz does not include connectivity information in flow exports. For details, see flow.connectivity.export and Export flows directly from AFA. |
Application search abilities | When performing an advanced search for applications By Connectivity, you can specify whether to search for applications with allowed flows that are protected or allowed flows that are unprotected. For more details, see Business applications. Note: Unprotected flow detection has no impact on application connectivity status, only flow connectivity status. An application whose flows are all allowed (protected or unprotected) always has the connectivity status Allowed. |
flow.connectivity.export
Boolean. Determines whether flow connectivity data is exported together with an application's flows.
- True. Connectivity data is exported together with the flows.
- False. (Default) No connectivity data is exported.
When configured, exported connectivity data includes any of the following values:
- Allowed
- Blocked
- Partially blocked
- No connectivity information
- Unprotected
Note: Unprotected appears only when AppViz is configured to detect unprotected flows.
Otherwise, all allowed traffic is assigned the Allowed value. For details, see flow.connectivity.display_unprotected.
import.delimiter
String. Determines the delimiter used in CSV import files.
Default value: , (comma)
For example, change this to a colon if needed:
import.delimiter=:
String. Defines the encoding used for imported files.
Default value: UTF-8
network_entity.origin.order
String. Determines the order of preference used when optimizing network objects from different sources.
During discovery, if more than one network object is found with the same name, AppViz selects the object to use based on the configured origin preference.
Supported values: the source names Imported, BusinessFlow, and Device, listed in order of preference.
Default value: Imported, BusinessFlow, Device
For example, the following sets the priority sequence to BusinessFlow, Imported, Device:
network_entity.origin.order=BusinessFlow,Imported,Device
Note: Network objects that originate from the same place cannot have the same name, except for device objects. If two device objects with the same name (but different content) exist, the CSV file validation will fail.
If two device objects defined on different devices have the same name and the same content, AppViz will treat them as one object and validation will succeed.
Boolean. Determines whether AppViz is enabled to define device object definitions on the device using AppChange.
Supported values:
- True. Enables AppViz to define device object definitions on the device.
- False. Disables the ability for AppViz to define device object definitions on the device.
permissions.initial
String. Determines the permissions granted by default to all AppViz users.
Multiple values separated with commas.
For example, the following sets the initial permissions for all users to create applications and view all applications:
permissions.initial=ROLE_CREATE_APPLICATION,ROLE_VIEW_ALL_APPLICATION
For more details, see AppViz permission reference.
Default values:
User type | Default permissions
---|---
All users | Default permissions for all users include: |
Privileged users | Privileged users have additional permissions to update risk information by default. |
Administrators | Administrator users receive all permissions by default. |
permissions.initial.afa_user
Determines the permissions granted by default to AFA-only users.
For example, the following sets the initial permissions for AFA users to view risk information and update vulnerability information:
permissions.initial.afa_user=ROLE_VIEW_RISK,ROLE_UPDATE_VULNERABILITY
For more details, see AppViz permission reference.
risk.enable
Determines whether risk checks are run automatically when a pending revision becomes active.
- True. (Default) Enables automatic risk checks.
- False. Disables automatic risk checks.
Tip: Use together with connectivity.enable to enable automatic data refreshes.
security_zones.default_internal_network_ranges
A semicolon-delimited list of networks, in CIDR format. Defines the internal/private zone networks.
Default value: 10.0.0.0/8;172.16.0.0/12;192.168.0.0/16
For example, the following sets the internal zone to 172.16.0.0/12 and 192.168.0.0/16:
security_zones.default_internal_network_ranges=172.16.0.0/12;192.168.0.0/16
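Because a bad entry in this list silently changes which traffic AppViz treats as internal, the following Python block is an added example (not AppViz code) that checks a value before it goes into user.properties: it parses the semicolon-delimited list, rejects malformed CIDRs, flags entries that are not private address space, and classifies an address against the configured ranges. Whether AppViz itself performs any of these checks is not stated on the page; the sample values are constructed.

```python
"""Validate a security_zones.default_internal_network_ranges value.

Added example, not AppViz code. It parses the page's semicolon-delimited
CIDR list, rejects malformed entries, flags entries that are not private
address space (a dropped digit turns 192.168.0.0/16 into the public range
92.168.0.0/16), and classifies an address as internal or not. Whether AppViz
itself performs these checks is not stated on the page.
"""
import ipaddress

PROPERTY = "security_zones.default_internal_network_ranges"
DEFAULT_VALUE = "10.0.0.0/8;172.16.0.0/12;192.168.0.0/16"  # default from the page


def parse_zone_ranges(value):
    """Split the ';'-delimited list into network objects, failing on bad entries."""
    networks = []
    for item in value.split(";"):
        item = item.strip()
        if not item:
            continue  # tolerate a trailing ';'
        try:
            # strict=True rejects host bits (192.168.1.0/16 is a typo, not a zone)
            networks.append(ipaddress.ip_network(item, strict=True))
        except ValueError as exc:
            raise ValueError(f"{PROPERTY}: invalid CIDR {item!r}") from exc
    return networks


def public_ranges(networks):
    """CIDRs in the internal zone that are not private address space."""
    return [str(net) for net in networks if not net.is_private]


def is_internal(ip, networks):
    """True when `ip` falls inside any configured internal range."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in networks)


if __name__ == "__main__":
    zones = parse_zone_ranges(DEFAULT_VALUE)
    print([str(n) for n in zones], public_ranges(zones))          # no public ranges
    print(is_internal("172.31.0.9", zones), is_internal("172.32.0.9", zones))
    # Constructed typo: the second entry is a public /16 and gets flagged.
    print(public_ranges(parse_zone_ranges("10.0.0.0/8;92.168.0.0/16")))
```

A non-empty public_ranges result is worth a second look before the value is saved: an internal zone that includes public space marks traffic to those addresses as internal, and a value that fails parse_zone_ranges should not be written to user.properties at all.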
service.recent.page_size
Defines the number of services displayed.
service.recent.page_size=10
Default value: 10
service.search.page_size
Defines the number of service search results displayed.
service.search.page_size=100
Default value: 100
String. Determines ownership of shared flows, which are general or partial flows that may be relevant to many applications.
Note: Shared flows specify only a source or destination, leaving the remaining field only with a placeholder value. When an application subscribes to another application's shared flows, the subscribing application specifies a value for the placeholder.
Supported values include:
Value | Description
---|---
sharingApplication (Default) | Determines that the application with the shared flows is defined as the flow owner. Editing a shared flow or a subscribed flow creates an application draft for the application with the shared flow. |
combined | Determines that ownership is shared across several applications. The application with the shared flow and the application with the subscribed flow both reflect the risks, connectivity, etc., derived from the subscribed flow. Note: When a change is pending for traffic relevant to a shared or subscribed flow, the flows cannot be edited, deleted or added in any application. |
For more details, see Application flows.
upload.max_size
Integer. Determines the maximum upload size, in MB.
For example:
upload.max_size=100
AppViz permission reference
Permission name | Permission to...
---|---
ROLE_APPLY_DRAFT | Apply application drafts. |
ROLE_CREATE_APPLICATION | Create a new application. |
ROLE_CREATE_LABELS | Create labels. |
ROLE_CREATE_SHARED_FLOWS | Create a shared flow. |
ROLE_EDIT_ALL_APPLICATION | Edit all applications. |
ROLE_EDIT_APPLICATION_INFORMATION | Edit application custom fields, labels, and contacts. |
ROLE_EDIT_NETWORK_OBJECTS | Edit network objects. |
ROLE_EDIT_SERVICE_OBJECTS | Edit service objects. |
ROLE_SYNC_OBJECT | Run an update process for a device object. |
ROLE_UPDATE_CONNECTIVITY | Update connectivity. |
ROLE_UPDATE_RISK | Update risk information. |
ROLE_UPDATE_VULNERABILITY | Update vulnerability information. |
ROLE_VIEW_ACTIVITY_LOG | View activity log information for applications and network objects. |
ROLE_VIEW_ALL_APPLICATION | View all applications. |
ROLE_VIEW_CHANGE_REQUESTS | View change request information for applications, network objects, and service objects. |
ROLE_VIEW_CONNECTIVITY | View connectivity. |
ROLE_VIEW_RISK | View risk information. |
ROLE_VIEW_VULNERABILITY | View vulnerability information for applications. |